Then I thought that I might be able to test other TCP blocking rules by setting the IP packet's time-to-live (TTL) to a small number and looking for the ICMP Time Exceeded replies that come back from the router where the TTL runs out. tcptraceroute provides the core functionality for this; on the Mac I got it from Fink.

If I get some response, the firewall is NOT blocking the outgoing port. If I get only stars (* * *), then it probably is blocking the port.

#!/bin/bash

echo "Testing blocked outgoing port..."

# set TTL to 2 hops: host to ADSL router, ADSL router to ISP gateway
# if the ISP responds to TCP TTL timeouts then a blocked port should get '2 *'
# whereas an open outgoing port should get something more complicated like this:
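The following script is an added example, not the script from this post: it wraps tcptraceroute with a TTL of 2 and turns the last hop line into a verdict instead of leaving the stars to be read by eye. It assumes tcptraceroute's -m (max TTL), -q (probes per hop) and -n (no reverse DNS) options and the usual hop-line layout ("2  * * *" for timeouts, an address plus RTTs for an ICMP Time Exceeded reply, "[open]" or "[closed]" when the destination itself answers); the sample outputs embedded at the bottom are constructed for exercising the parser, not captured from a real run.

```shell
#!/bin/sh
# Added example (not from the original post). Probe one outgoing TCP port with a
# small TTL and classify what came back. Assumes tcptraceroute -n/-q/-m options.

# Classify a single tcptraceroute hop line:
#   BLOCKED - every probe timed out ("2  * * *"): no ICMP Time Exceeded reached us,
#             so the port is probably filtered before the packet leaves the network
#   OPEN    - the destination itself answered ("[open]" or "[closed]" in the line)
#   REPLY   - a router on the path sent ICMP Time Exceeded: the SYN got out,
#             so the local firewall is not blocking this port
classify_hop_line() {
    line=$1
    # drop the leading hop number so only the probe results remain
    probes=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*[0-9][0-9]*[[:space:]]*//')
    case "$probes" in
        *"[open]"*|*"[closed]"*) echo OPEN ;;
        *)
            # anything left after removing stars and whitespace is an answer
            rest=$(printf '%s' "$probes" | tr -d ' *\t')
            if [ -n "$rest" ]; then echo REPLY; else echo BLOCKED; fi
            ;;
    esac
}

# Classify a whole tcptraceroute run read from stdin, using its last hop line.
classify_output() {
    last=$(grep -E '^[[:space:]]*[0-9]+[[:space:]]' | tail -n 1)
    [ -n "$last" ] || { echo UNKNOWN; return; }
    classify_hop_line "$last"
}

# TTL 2 as in the post: host -> ADSL router -> ISP gateway.
probe_port() {
    host=$1
    port=$2
    echo "Testing outgoing TCP port $port to $host with TTL 2..."
    tcptraceroute -n -q 3 -m 2 "$host" "$port" 2>&1 | classify_output
}

# Constructed sample outputs (not from a real run) for exercising the parser.
SAMPLE_BLOCKED=' 1  192.168.1.1  1.234 ms  1.111 ms  1.050 ms
 2  * * *'
SAMPLE_REPLY=' 1  192.168.1.1  1.234 ms  1.111 ms  1.050 ms
 2  10.0.0.1  12.5 ms  11.9 ms  12.1 ms'

# Only run a real probe when a host and port are given and the tool is installed.
if [ $# -ge 2 ] && command -v tcptraceroute >/dev/null 2>&1; then
    probe_port "$1" "$2"
fi
```

Run it as root (tcptraceroute needs raw sockets) with a host and port, for example `sh probe.sh example.org 25`. A BLOCKED verdict is only "probably" blocked, as the post says: a hop that rate-limits or never sends ICMP Time Exceeded also produces stars, so confirm a suspected block by checking a port you know is open through the same hop.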